Access control can be defined as enforcing data-use or other object-use permissions that grant or deny access to content or applications. In this context, data-use can include a broad selection of functions such as reading, changing, executing, creating, overwriting, or deleting. The ability to change access permissions is another type of access that can be granted or denied.
Access control should be considered in a system approach in which a strong user (entity or member) identification and authorization (I&A) process-plays a role. An exemplary system for user identification is described in a co-pending U.S. patent application, Ser. No. 10/060,039, filed on Jan. 30, 2002, the entire disclosure of which is incorporated herein by this reference.
Thus, the goal is to provide access control to objects such as data and applications. It should be flexible and suitable for implementing a variety of different schemes, such as discretionary access controls (DAC) and mandatory access controls (MAC). The key management system should be suitable for implementing a role-based access control system (RBAC). These controls should support content-based access control architectures that provide a very granular object level enforcement or that enable an expanded access.